Note 1243085 - Available Documentation for GRC Access Control

26.07.2013 Page 1 of 13

SAP Note 1243085 - Available Documentation for GRC AccessControl

Note Language: English Version: 23 Validity: Valid Since 01.08.2012

Summary

SymptomLink to available GRC Access Control Documentation.

Other termsAccess Control, Virsa, Risk Analysis and Remediation, Compliant UserProvisioning, SuperUser Privilege Management, Enterprise Role Management,Compliance Calibrator, Access Enforcer, Firefighter, Role Expert,Documentation, Access Risk Management, Access Request, Emergency AccessManagement, Business Role Management

Reason and PrerequisitesProvide shortcuts to the available documentation.

SolutionDocumentation is available in various areas of the SAP Ecosystem. Thisnote is meant to provide an overview of where different information isstored.

The four main documentation repositories are below. The type ofdocumentation under each is described in the following sections.

1. Service Marketplace2. help.sap.com3. Business Process Expert Site (BPX)4. SAP Notes

Service Marketplace

There are many pieces of information available on the SAP ServiceMarketplace. Below are the key areas where this information is stored:

o Release Notes. This includes the new features added in 5.3 (ascompared to 5.2) and in 10.0 (as compared to 5.3). There are alsodocuments for 5.2 but no customer should be implementing 5.2 atthis time.

https://service.sap.com/releasenotes

Release Notes.-> Analytics -> Governance, Risk, Compliance (GRC) ->Access Control

o Master, Installation, Upgrade, Configuration and Security Guides. Guides are available for 4.0, 5.1, 5.2, 5.3 and 10.0

https://websmp203.sap-ag.de/support

Installation & Upgrade Guides > Analytics> Governance, Risk, andCompliance -> Access Control

26.07.2013 Page 2 of 13


From there, choose the version of application you're using.

o Support pack schedule. This will show the planned dates of whensupport packs are scheduled to be released for 4.0, 5.2 and 5.3.

https://service.sap.com/ocs-schedules

GRC Access Control Support Package Schedule

o Product Availability Matrix. This location will show themaintenance dates for our various product versions. These are thedates through which the application version will remain supportedby SAP GRC Support.

https://service.sap.com/~form/handler?_APP=00200682500000002212&_EVENT=DISPLAY

Search for Access Control and click on Search in PAM.

This will display the 5.3 and 10.0 maintenance dates.

Search for Firefighter and this will give you maintenance dates for4.0 and 5.2.

Once you select a version, click on the Languages tab and you cansee what languages are supported for each version of our product.

o Sizing Guide. This provides an overview of how best to size theGRC Access Controls hardware for optimum performance. The linkbelow is specific to version 5.3.

https://service.sap.com/~sapidb/011000358700000435122007E

Below is the Sizing Quide for 10.0:

https://websmp206.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000738725&

help.sap.com

Beginning with Access Control 5.3, the information contained in the UserGuides previously stored on the Service Marketplace have been moved to theSAP Help Portal. The exact link is below:

http://help.sap.com/saphelp_grcac53/helpdata/en/45/92c7fa00494714a4162ad707d9b328/frameset.htm

This is similar to the Help for other application components of SAP.

In addition to GRC specific help, BI integration (as of 5.3) is alsoavailable on help.sap.com

http://help.sap.com/saphelp_nw70/helpdata/en/bc/52a4373f6341778dc0fdee53d224c8/frameset.htm

Version 10.0 help documentation is located at the link below:

26.07.2013 Page 3 of 13


http://help.sap.com/saphelp_grcac10/helpdata/en/16/7a5f2e29744e078f9305017fee2fc2/frameset.htm

Business Process Expert

Below is the link for Business Process Expert website. This website holdsmany Quick Reference Guides and other How-to documents.

https://www.sdn.sap.com/irj/sdn/bpx-grc

There are three key areas:

1. Under Key Topics - SAP BusinessObjects Access Control2. Under Key Topics - SAP BusinessObjects Access Control - SAP GRC AccessControl 5.33. Under All Articles on Governance, Risk and Compliance

This website is constantly being updated. The items listed below are justthe key documents out there, but there are many others and more willcontinue to be added.

Under Key Topics - SAP BusinessObjects Access Control

o GRC 10.0 Pre-Installation (PDF 1 MB)

The presentation explains the new architecture and the necessaryprerequisites for a successful installation of SAP BusinessObjects GRC 10.0and guides the reader through the installation procedure of the software.

o GRC 10.0 Post-Installation (PDF 673 KB)

The presentation explains the necessary post-installation steps in SAPBusinessObjects GRC 10.0.

o AC 10.0 Post-Installation (PDF 566 KB)

The presentation covers the basic steps required for setting up SAPBusinessObjects GRC 10.0. For setting up specific functionality pleaserefer to corresponding pre-implementation guide.

o AC 10.0 - Installation Checklist (PDF 580 KB)

This guide provides a checklist for your installation activities for theAccess Control 10.0 application.

o AC 10.0 Pre-Implementation From Post-Installation to First RiskAnalysis (PDF 709 KB)

26.07.2013 Page 4 of 13


This document allows implementation consultants and administrators to setupthe required functionality for running a user level risk analysis after thepost-installation has been finished. This is by no means a comprehensiveguide for setting up the Access Risk Analysis component, rather it allowstesting the application is working properly by setting up a basic testcase.

o AC 10.0 - Enhanced Access Risk Analysis

This document describes the major enhancements to the access risk analysiscapability of GRC, including end user customization and personalization. Itcovers how to navigate through the different reports, and also about newfunctionality such as new bulk maintenance, automation, audit trail, andmitigation options.

o AC 10.0 Pre-Implementation From Post-Installation to FirstEmergency Access (PDF 631 KB)

This document allows implementation consultants and administrators to setupthe required functionality for running an emergency access (firefighter)session after the post-installation has been finished. This is by no meansa comprehensive guide for setting up the Emergency Access Managementcomponent, rather it allows testing the application is working properly bysetting up a basic test case.

o AC 10.0 - Centralized Emergency Access (PDF 1 MB)

This document is a detailed guide on the emergency access capability ofAccess Control 10.0. It explains the basic concepts about emergency accessand provide details on how to configure the application. Also this documentincludes additional information on the types of logs available formonitoring the emergency accesses.

o AC 10.0 Pre-Implementation From Post-Installation to First RoleCreation (PDF 814 KB)

This document allows implementation consultants and administrators to setupthe required functionality for creating a single role in AC after thepost-installation has been finished. This is by no means a comprehensiveguide for setting up the Business Role Management component, rather itallows testing the application is working properly by setting up a basictest case.

o AC 10.0 - Business Role Management (PDF 3 MB)

This document allows implementation consultants and administrators to setupthe required functionality for creating roles in AC after thepost-installation has been finished. This guide provides the configuration

26.07.2013 Page 5 of 13


steps for setting up Business Role Management.

o AC 10.0 Pre-Implementation From Post-Installation to First AccessRequest (PDF 736 KB)

This document allows implementation consultants and administrators to setupthe required functionality for creating an access request after thepost-installation has been finished, please notice that it is required toconfigure Role Management before being able to request role assignments.This is by no means a comprehensive guide for setting up MSMP workflows,rather it allows testing the application is working properly by setting upa basic test case.

o AC 10.0 - Customizing Workflows for Access Management (PDF 1 MB)

This document allows implementation consultants and administrators to setupthe required functionality for enabling the workflow engine in AC 10.0. Youwill learn the main components of the new workflow engine and how tocustomize them, also how to create agents and initiators using FunctionModules and BRFplus.

o AC 10.0 - How to Customize Notification Templates for AC Workflow(PDF 827 KB)

This how-to-guide explains how to set up the SAPconnect communicationinterface in your application server in order to send out emailnotifications triggered by workflow events in Access Control 10.0. Thisguide provides a comprehensive overview of workflow events that can triggeremail notifications and notification variables used to populate the messagebodies with information that is specific to each request. The guide alsoexplains how the pre-delivered message bodies can be replaced by custommessages as well as how email reminders are set up.

o AC 10.0 - Managing Custom Fields for Access & Role Management(PDF 317 KB)

This document explains how to setup the required functionality for addingcustom fields to access requests and roles maintained in GRC 10.0.

o AC 10.0 - End User Personalization (PDF 895 KB)

This how-to-guide explains the End User Personalization concept in AccessControl 10.0 and the technical configuration to attain that functionality.

o AC 10.0 - Performing Segregation of Duties Review (PDF 1 MB)

26.07.2013 Page 6 of 13


This how-to-guide explains the Segregation of Duties Review concept and thetechnical configuration to attain that functionality.

o GRC 10.0 Integration Guide - Access Control 10.0 and NetWeaverIdentity Management (PDF 646 KB)

This document covers all the new web services for Access Control 10.0 andintegration scenarios with IDM solutions. The main foundation for thisintegration is based on NeetWeaver Identify Management 7.2.

o SAP BusinessObjects GRC 10.0 Integration Guide - Access and ProcessControl 10.0 (PDF 1 MB)

With the release of GRC 10.0, Access Control and Process Control areoffered as an integrated solution, both at the data layer and at the userinterface layer. This new unified platform enables increased harmonizationof key master data. Organization and process and control structures cannow be shared across components of Access Control and Process Control,which supports a more integrated approach to governance, risk, andcompliance. Access risks identified in Access Control can be mitigatedusing controls managed by Process Control, as an example. This documentdetails methods for harmonizing data across Access Control and ProcessControl.

Under Key Topics - SAP BusinessObjects Access Control - SAP GRC AccessControl 5.3:

o Getting Started with GRC Access Control

This page provides an overview of GRC Access Control. To maintaincompliance with current and future regulations, organizations mustimplement a sustainable, automated solution that provides end-to-endautomation for detecting, remediating, mitigating, and preventing accessand authorization risk across the business.

o GRC Access Control - Access Risk Management Guide (PDF 268 KB)

The access risk management guide helps you set up and implement riskidentification and remediation with GRC Access Control.

o GRC Access Control - Comprehensive, Cross-Enterprise Analysis,Remediation, and Prevention of Access Risk (PDF 343 KB)

Take an in-depth look at how SAP GRC Access Control - part of SAP solutionsfor Governance, Risk, and Compliance - is helping organizations close gapsin access risk. This broad access and authorization solution extends fromdesign time through runtime to ensure compliance to segregation of duties.

o SAP GRC Access Control: Migration/Upgrade to Release 5.2 (PDF 1.2MB)

As of GRC Access Control release 5.2 all Access Control capabilities arebundled to one software package. It is therefore neither recommended nor

26.07.2013 Page 7 of 13


supported to upgrade individual capabilities. This guide providesinformation for existing GRC Access Control customer upgrading theirexisting implementations from release 4.0 or release 5.1 to release 5.2.

o Tour the Five Building Blocks of SAP NetWeaver Security (1 hour 1minute)

This e-learning session provides an introduction to user management, trustmanagement, secure system management, application security, and auditing.

o The Three C's of SAP Identity Management - Centralization,Certified Partners and Compliance (PDF 407 KB)

One of the fundamentals of securing an SAP system landscape is useridentity management. This SAP Insider article discusses maintaining strictcontrol over the creation, authorization, and deletion of user identities,which is imperative for securing company data.

o J-SOX Insights (PDF 117 KB)

"J-SOX" is an unofficial term that refers to the Japanese requirementssimilar to Sarbanes-Oxley Act Section 302 (management certification) andSection 404 (management evaluation and report on internal controls) in theUSA. This FAQ about J-SOX appears here with the permission of Protiviti.

o J-SOX Flash Report (PDF 75 KB)

Information on Japanese compliance legislation as of November 2006. Thisreport appears here with the permission of Protiviti.

o How to Performance Optimize SAP GRC Access Control 5.3 (PDF, 303KB)

The guide provides an overview of the technical architecture of SAP GRCAccess Control 5.3 and a structured list of recommendations and preferredpractices for performance optimization.

o SAP GRC Access Control 5.3 - Pre-Installation - Voice Over (FLASH20,869 KB)

This eLearning session explains the necessary prerequisites for asuccessful installation of SAP GRC Access Control 5.3 and guides the readerthrough the installation procedure of the software. Underlyingpresentation: SAP GRC Access Control 5.3 - Pre-Installation (PDF 923 KB)

o SAP GRC Access Control 5.3 - How To - Apply Support Packages inAC5.3 - Voice over (FLASH 7,500 KB)

The presentation explains the necessary steps for a successful installationof a Support Package in SAP GRC Access Control 5.3 and guides the readerthrough the procedure. Underlying presentation: SAP GRC Access Control 5.3- HowTo - Apply Support Packages in AC5.3 (PDF 1,643 KB)

o SAP GRC Access Control - How To - Integrate GRC AC53 CUP and NW IdM

26.07.2013 Page 8 of 13


(PDF 1.438 KB)

This How-To guide explains the integration of SAP GRC AC 5.3 CUP andNetWeaver IdM 7.0.

o SAP GRC Access Control - Application Integration Documentation (PDF514 KB)

The purpose of this Quick Reference Guide is to provide best practices andinstructions on how to integrate the application capabilities of AccessControl (rel. 5.2) that also known as Access Enforcer (AE), ComplianceCalibrator (CC) and Role Expert (RE).

o SAP GRC Access Control 5.2 - Pre-Implementation Guide (PDF 1,265KB)

This guide provides guidelines and best practices for thepre-implementation of SAP GRC Access Control. Pre-implementation is theprocess of understanding customer requirements. It helps to lay a firmgroundwork for successful implementation of the application. The guideoutlines the different steps of the process and describes some of thefactors that influence performance and hardware requirements.

o SAP GRC Access Control 5.3 - Post-Installation - RAR - Voice over(FLASH 17,337 KB)

This eLearning session outlines necessary post-installation steps for theimplementation of risk analysis and remediation in SAP GRC Access Control5.3. Underlying presentation: SAP GRC Access Control 5.3 -Post-Installation - RAR (PDF 1,676 KB)

o GRC Access Control - Risk Analysis and Remediation (formerly VirsaCompliance Calibrator) Offline-Mode Risk Analysis (PDF 2,738 KB)

Risk Analysis may be performed in offline-mode (aka remote risk analysis).The process helps in detecting SOD violations in an ERP system withouthaving to connect online. Instead data from the ERP system is exported tofiles and subsequently imported to GRC Access Control by using the dataextractor utility.

o Background Jobs for Risk Analysis and Remediation (PDF 345 KB)

This document discusses the background jobs available in the context ofusing risk analysis and remediation in SAP GRC Access Control. Bestpractices on executing these jobs are given, e.g. the order in whichbackground jobs should be executed, the difference between full synch modeand incremental mode.

o Organizational Rules and Organizational Level Reporting (PDF 2,807KB)

Use this Quick Reference Guide to understand and create OrganizationalRules and perform organization level reporting.

o Risk Terminator Configuration (PDF 480 KB)

26.07.2013 Page 9 of 13


This how-to guide shows how to set up risk terminator to validate new rolesand assignments.

o Periodic Job Processing for Risk Identification and Remediation(PDF 134 KB)

SAP's solutions for Governance, Risk, and Compliance comprise GRC AccessControl, an application that handles sustainable prevention of Segregationof Duties violations. This Quick Reference Guide for periodic jobprocessing applies to the system's capability for risk analysis andremediation.

o Post-Installation Tasks for Risk Identification and Remediation(PDF 105 KB)

This Quick Reference Guide for post-installation tasks applies to thesystem's capability for risk analysis and remediation.

o Creating Roles and Users in SAP NetWeaver User Management Engine(PDF 46 KB)

This Quick Reference Guide describes the creation of roles and users in SAPNetWeaver User Management Engine (UME).

o Pre-Implementation Checklist for Risk Identification andRemediation (PDF 53 KB)

This Quick Reference Guide for a pre-implementation checklist applies tothe system's capability for risk analysis and remediation.

o GRC Access Control - Risk Analysis and Remediation (Release 5.2):Quick Reference Guide for Moving to Production (PDF 192 KB)

Moving GRC Access Control from a development/testing environment toproduction requires populating data in the production version so that riskanalysis can be performed and management views are available.

o Delta Quick Reference Guide 5.1/5.2 for Risk Analysis andRemediation (PDF 61 KB)

This Delta Quick Reference Guide outlines high-level differences betweenrelease 5.1 and release 5.2.

o SAP GRC Access Control 5.3 - Post-Installation - ERM - Part I -Voice Over (FLASH 17,122 KB)

This eLearning session explains the required post-installation steps forenterprise role management in SAP GRC Access Control 5.3. This is aprerequisite to start customizing and implementation of their rolemanagement. Underlying presentation: SAP GRC Access Control 5.3 -Post-Installation - ERM - Part I (PDF 668 KB)

o SAP GRC Access Control 5.3- Post-Installation - ERM - Part II -Voice Over (FLASH 7,355 KB)

This eLearing session runs through typical implementation steps of

26.07.2013 Page 10 of 13


enterprise role management in SAP GRC Access Control 5.3. It explains howroles may be created. Projects may apply a different methodology.Underlying presentation: SAP GRC Access Control 5.3 - Post-Installation -ERM - Part II (PDF 506 KB)

o SAP GRC Access Control 5.2 implementation guide for enterprise rolemanagement (PDF 91 KB)

GRC Access Control identifies and prevents access and authorization risksin cross-enterprise IT systems to prevent fraud and reduce the cost ofcontinuous compliance and control. This paper provides a quick referenceguide to understand the main features, business benefits, andimplementation best practices of the application's capability forenterprise role management (formerly known as Virsa Role Expert).

o SAP GRC Access Control 5.3 - Post-Installation - CUP - Voice Over(FLASH 14,607 KB)

This eLearning session outlines necessary post-installation steps to enablecompliant user provisioning in SAP GRC Access Control 5.3. Completing therequired post-installation tasks allows to start customizing andimplementation of individual workflows. Underlying presentation: SAP GRCAccess Control 5.3 - Post-Installation - CUP (PDF 635 KB)

o Configuring LDAP connector in compliant user provisioning (PDF 243KB)

When implementing compliant user provisioning in GRC Access Control thesystem is typically linked to a LDAP repository. This paper outlines theconfiguration of LDAP connector and provides sample mappings for ActiveDirectory, SunOne, E-Directory, and Tivoli.

o SAP GRC Access Control: Compliant user provisioning goes IdentityManagement (PDF 1.19 MB)

According to Gartner, Governance, Risk, and Compliance (GRC) is theultimate driver for today's identity management projects. SAP GRC AccessControl has the technology to provide customers with a cross ERP-platformsolution for compliant user provisioning and at the same time provides anopen API/interface for existing identity management vendors to integrateseamlessly with SAP GRC Access Control for an end-to-end user, role andrule provisioning solution.

o Configuring Requestor Landing Page for Compliant User Provisioning(PDF 220 KB)

The purpose of this article is to provide the procedure required tocustomize the requestor landing page i.e. the request types on the requestaccess screen in compliant user provisioning in SAP GRC Access Control.

o Configuring Compliant User Provisioning into CUA Systems (PDF 457KB)

For GRC Access Control to be able to perform user provisioning into Central

26.07.2013 Page 11 of 13


User Administration (CUA) systems certain special configurations related tocompliant user provisioning (formerly Virsa Access Enforcer) need to bedone. This article outlines the configuration procedure for provisioning towork with CUA systems. The paper also discusses troubleshooting.

o Compliant User Provisioning Quick Reference Guide (QRG): RiskAnalysis URI Configuration (PDF 280 KB)

SAP GRC Access Control - part of SAP solutions for Governance, Risk, andCompliance - is helping organizations close gaps in access risk. This guideindicates how to link the application's capability for compliant userprovisioning with the application's capability for risk analysis andremediation.

o Compliant User Provisioning QRG: HR Triggers (PDF 393 KB)

Compliant user provisioning may be triggered by SAP's human resourceapplication. This quick reference guide outlines how set up that HR link.

o SAP GRC Access Control 5.3 - Post-Installation - SPM - Voice Over(FLASH 12,053 KB)

This eLearning session outlines post-installation tasks that are aprerequisite for the implementation of superuser privilege management inSAP GRC Access Control 5.3. The session explains how to effectively set upsuperuser privilege management in SAP backend systems and enable the Javareporting component, which allows for centralized access to log reports inmultiple SAP backend systems. Underlying presentation: SAP GRC AccessControl 5.3 - Post-Installation - SPM (PDF 1,169 KB)

o SAP GRC AC 5.3 Integrated Project Plan Article(PDF 88 KB)

The integrated Access Control project plan contains steps to be performedin the implementation of Access Control. The steps and task durationsrepresent a basic implementation and may be modified to suit a company'sproject.10 Dec 2008

o SAP GRC AC 5.3 Implementation Considerations for Enterprise RoleManagement Article(PDF 180 KB)

This document provides a quick reference guide to understand the mainfeatures, business benefits, and implementation best practices of theAccess Control 5.3's capability for enterprise role management.01 Dec 2008

o SAP GRC AC 5.3 Implementation Considerations for SuperuserPrivilege Management Article(PDF 151 KB)

GRC Access Control identifies and prevents access and authorization risksin cross-enterprise IT systems to prevent fraud and reduce the cost ofcontinuous compliance and control. This document discusses the key featuresof Superuser Privilege Management. It also provides scenarios to assistproject teams in deciding whether to implement role-based or ID-basedfirefighting.01 Nov 2008

26.07.2013 Page 12 of 13


Under All Articles on Governance, Risk and Compliance:

Link - https://www.sdn.sap.com/irj/scn/articles-grc-all

This link will show all the GRC articles from all areas in the BusinessProcess Expert website.

SAP Notes

Corrections to documentation or additional information can also be storedas SAP Notes. You can use the SAP Note Search function to identify whetherthe issue you encounter has a SAP Note.

Below are some key SAP notes relevant to providing additional informationand documentation about Access Control. This is just an example of some ofthe SAP Notes available. You may perform a SAP Note search on the ServiceMarketplace for component GRC* to see all of the SAP Notes released.

1085097 Lead Approver radio button not checked in Role Upload1134833 AE5.2 - Mass Copy of Requests limitation1035063 5.X - Setting up Blanket Mitigation Controls1055976 Firefighter 5.2 - Unable to run the SoD analysis report1145700 Risk Analysis not recommended for multi-user change requests986996 Best Practice for SAP CC Rules and Risks1178372 Risk Analysis and Remediation - Cross and Logical systems1178370 Risk Analysis and Remediation - Table sizes1179717 Risk Analysis and Remediation - Management Reports

The following OSS Notes have been produced on specific BI related issues:

1155096 Master Data Process Chain failure1155095 Alert Header DSO refresh required in process chain1155468 Alert Details (0GCC_ALD) InfoCube Start Routine fails1155469 InfoPackage Date Selection in Delta Processing1155913 Error in deletion programs associated with delta processing1229932 Duplicate data records in CUP language dependent text DTPs1170897 Permission Violations Delta Deletion Programs Generation

Header Data

Release Status: Released for CustomerReleased on: 01.08.2012 15:58:30Master Language: EnglishPriority: Recommendations/additional infoCategory: FAQPrimary Component: GRC-SAC SAP GRC Access Control - Please usesub-components

26.07.2013 Page 13 of 13


The Note is release-independent

Related Notes

Number Short Text

1673593 Updates to Customizing for GRC 10 Due to SP08

1647291 Access Control 10.0 SP08 Report Documentation Updates

1602186 GRC Access Risk Analysis tables

1369045 AC SP09 Data Mart Design Description

1261750 Upgrade Java Netweaver and GRC applications to AC 5.3

1153091 Role Expert Implementation Guide

1054121 The SAP Ecosystem in a Nutshell

Documents

Note 1243085 - Available Documentation for GRC Access Control